Are they less vulnerable to SQL injection than doing stuff like mysql_query("SELECT important_data FROM users WHERE password = $password")?
They are more secure than what you are doing. Your query is posting raw SQL to the db, which means that your parameters aren't treated as SQL parameters but as plain old SQL.
Here is what I mean.
With a stored procedure the password variable can't be SQL, it has to be a piece of information the system is looking for. In your example what is actually sent to the db is
SELECT * FROM User where password = ('your password here' -- $Password variable). So someone can do something like
SELECT * FROM user WHERE Password = ('your password here'; SELECT * FROM User -- $password variable).
or worse yet:
SELECT * FROM user WHERE Password = ('your password here'; DROP Database Database_Name -- $password variable).
A non-dynamic SQL stored procedure won't allow this, because the input parameter won't execute as extra SQL.
Parametrized SQL does take care of this, but technically stored procedures are still a little more secure, because the user accessing information in the table doesn't need read access. It only needs to be able to execute the stored procedure. Depending on your need this may or may not come into play.
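To make the difference between the two forms concrete, here is an added example (not from the question or the answer above) in Python with sqlite3 instead of PHP's mysql_query: the concatenated query treats whatever is in the password variable as SQL text, while the parametrized query hands it to the driver as a value. The table, user rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post): two users with
# plaintext passwords, only so the query behaviour is observable.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, password):
    """The pattern from the question: the password is pasted into the SQL
    string, so quotes and keywords typed by the caller become part of the
    statement the database executes."""
    sql = "SELECT name FROM users WHERE password = '%s'" % password
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parametrized(conn, password):
    """Parametrized form: the driver sends the password as a bound value,
    never as SQL, so the same input is compared as a plain string."""
    sql = "SELECT name FROM users WHERE password = ?"
    return sorted(row[0] for row in conn.execute(sql, (password,)))


if __name__ == "__main__":
    conn = make_db()
    benign = "s3cret"
    hostile = "' OR '1'='1"  # closes the literal and appends an always-true test
    print(lookup_concatenated(conn, benign))   # ['alice']
    print(lookup_concatenated(conn, hostile))  # ['alice', 'bob']: every row leaks
    print(lookup_parametrized(conn, hostile))  # []: no password equals that string
    print(lookup_parametrized(conn, benign))   # ['alice']
```

Running it shows the concatenated lookup returning every user for the hostile input, while the parametrized lookup returns nothing because no stored password is literally that string.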